Okay,

  Rule name: test4
  Enabled: TRUE
  Command category: all
  Users: asteinfeld
  Hosts: dbduwdu062.dbr.roche.com
  Host Groups: tempsudo

Client dbduwdu062 is matched in the rule by both the hosts and groups entry.

/etc/nsswitch.conf has:

        Netgroups: files sss

Getent netgroup tempsudo returns:

        [jmacklin@dbduwdu062 Desktop]$ getent netgroup tempsudo
        tempsudo              (dbduwdu063.dbr.roche.com, -, dbr.roche.com) (dbduwdu062.dbr.roche.com, -, dbr.roche.com)

To the previous ldapsearch request:

        [jmacklin@dbduwdu062 Desktop]$ ldapsearch -Y GSSAPI -H ldap://dbduvdu145.dbr.roche.com "ou=SUDOers,dc=dbr,dc=roche,dc=com"
        SASL/GSSAPI authentication started
        ldap_sasl_interactive_bind_s: Server is unwilling to perform (53)
        additional info: Entry permanently locked.

I am still scratching my head on this one...

Cheers,
Jason

If you look closely, the reason that your admin works is because it appears to 
be matching a sudo rule that has the "ALL" hosts value set.

When you run the non-working user, it is attempting to match the 
hostname/hostgroup to the rule and fails to do so.

Try this. Type: getent netgroup hostgroupname <- your host's hostgroup goes 
there.

^ that command should return all of the hosts in your hostgroup. If it does 
not, then check /etc/nsswitch.conf and make sure that netgroup is set to use 
sss.

You will also need to make sure that the output of: domainname or nisdomainname 
matches your expected domain.

Let me know how things look after trying that.
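The two checks suggested above, as an added offline example (not code from the thread or from FreeIPA): parsing the (host, user, domain) triples that getent netgroup prints to see whether a host is a member, and checking that the netgroup line of nsswitch.conf consults sss. The netgroup line and nsswitch contents are constructed to match what is quoted in the thread.

```shell
#!/bin/sh
# Added example, not from the thread: offline helpers for the two checks in the reply,
# netgroup membership of a host and the netgroup line of nsswitch.conf.
# The sample input below is constructed to match the output quoted in the thread.

# Print the host field of every (host, user, domain) triple on a getent netgroup line.
netgroup_hosts() {
    printf '%s\n' "$1" | tr '(' '\n' | sed -n 's/^[[:space:]]*\([^,]*\),.*/\1/p'
}

# Succeed if host $2 is listed in the getent netgroup line $1.
host_in_netgroup() {
    netgroup_hosts "$1" | {
        while IFS= read -r h; do
            # An empty host field in a triple, e.g. "(, -, dom)", matches any host.
            if [ -z "$h" ] || [ "$h" = "$2" ]; then exit 0; fi
        done
        exit 1
    }
}

# Succeed if the netgroup line of the nsswitch.conf given as $1 consults sss.
nsswitch_netgroup_uses_sss() {
    grep -E '^[[:space:]]*netgroup:' "$1" | grep -qw sss
}

# Demo on constructed data. On a real client use "$(getent netgroup tempsudo)",
# /etc/nsswitch.conf and "$(hostname -f)" in place of the samples.
SAMPLE_NETGROUP='tempsudo  (dbduwdu063.dbr.roche.com, -, dbr.roche.com) (dbduwdu062.dbr.roche.com, -, dbr.roche.com)'
SAMPLE_NSSWITCH=$(mktemp)
printf 'passwd:     files sss\nnetgroup:   files sss\n' > "$SAMPLE_NSSWITCH"

for host in dbduwdu062.dbr.roche.com dbduwdu999.dbr.roche.com; do
    if host_in_netgroup "$SAMPLE_NETGROUP" "$host"; then
        echo "$host: in netgroup"
    else
        echo "$host: NOT in netgroup (sudo host match will fail)"
    fi
done
if nsswitch_netgroup_uses_sss "$SAMPLE_NSSWITCH"; then
    echo "nsswitch: netgroup consults sss"
else
    echo "nsswitch: netgroup does not consult sss; getent will not see IPA hostgroups"
fi
rm -f "$SAMPLE_NSSWITCH"
```

The domain check from the reply is a plain comparison of the output of domainname or nisdomainname against the expected domain and is left to the shell prompt.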


_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
